New features available on VMware vSphere PowerCLI 11.0 is to support the new all updates and release of VMware products , find the below following has been features,
New Security module
vSphere 6.7 Update 1
NSX-T 2.3
Horizon View 7.6
vCloud Director 9.5
Host Profiles – new cmdlets for interacting with
New Storage Module updates
NSX-T in VMware Cloud on AWS
Cloud module multiplatform support
Get-ErrorReport cmdlet has been updated
PCloud module has been removed
HA module has been removed
Now we will go through above mentioned new features to find what functionality it bring to PowerCLI 11.0
What is PowerCLI 11.0 New Security Module
The new security module brings more powerful automation features to PowerCLI 11.0 available new cmdlets include the following
Get-SecurityInfo
Get-VTpm
Get-VTpmCertificate
Get-VTpmCSR
New-VTpm
Remove-VTpm
Set-VTpm
Unlock-VM
Also New-VM cmdlet has enhanced functionality with the security module functionality and it includes parameters like KmsCluster, StoragePolicy, SkipHardDisks etc which can be used while creating new virtual machines with PowerCLI .In addition to that Set-VM, Set-VMHost, Set-HardDisk, and New-HardDisk cmdlets are added.
Host Profile Additions
There are few additions to the VMware.VimAutomation.Core module that will make managing host profiles from PowerCLI
Get-VMHostProfileUserConfiguration
Set-VMHostProfileUserConfiguration
Get-VMHostProfileStorageDeviceConfiguration
Set-VMHostProfileStorageDeviceConfiguration
Get-VMHostProfileImageCacheConfiguration
Set-VMHostProfileImageCacheConfiguration
Get-VMHostProfileVmPortGroupConfiguration
Set-VMHostProfileVmPortGroupConfiguration
Storage Module Updates
These new Storage Module updates specifically for VMware vSAN , the updates has predefined time ranges when using Get-VsanStat. In addition Get-VsanDisk has additional new properites that are returned including capacity, used percentage, and reserved percentage. Following are the cmdlets have been added to automate vSAN
Get-VsanObject
Get-VsanComponent
Get-VsanEvacuationPlan – provides information regarding bringing a host into maintenance mode and the impact of the operation on the data, movement, etc
On March 20, 2018 Microsoft has released two new quarterly updates:
Exchange 2016 Cumulative Update 9 (CU9)
Exchange 2013 Cumulative Update 20 (CU20)
TLS 1.2
There aren’t too many new features in these CUs. The most important ‘feature’ is that TLS 1.2 is now fully supported (most likely you already have TLS 1.2 only on your load balancer). This is extremely supported since Microsoft will support TLS 1.2 ONLY in Office 365 in the last quarter of this year (see the An Update on Office 365 Requiring TLS 1.2 Microsoft blog as well).
Dot.net Support
Support for .NET Framework 4.7.1, or the ongoing story about the .NET Framework. The .NET Framework 4.7.1 is fully supported by Exchange 2016 CU9 and Exchange 2013 CU20. Why is this important? For the upcoming CUs in three months (somewhere in June 2018) the .NET Framework 4.7.1 is mandatory, so you need these to be installed in order to install these upcoming CUs.
Please note that .NET Framework 4.7 is NOT supported!
If you are currently running an older CU of Exchange, for example Exchange 2013 CU12, you have to make an intermediate upgrade to Exchange 2013 CU15. Then upgrade to .NET Framework 4.6.2 and then upgrade to Exchange 2013 CU20. If you are running Exchange 2016 CU3 or CU4, you can upgrade to .NET Framework 4.6.2 and then upgrade to Exchange 2016 CU9.
Schema changes
If you are coming from a recent Exchange 2013 CU, there are no schema changes since the schema version (rangeUpper = 15312) hasn’t changed since Exchange 2013 CU7. However, since there can be changes in (for example) RBAC, it’s always a good practice to run the Setup.exe /PrepareAD command. For Exchange 2016, the schema version (rangeUpper = 15332) hasn’t changed since Exchange 2016 CU7.
As always, check the new CUs in your lab environment before installing into your production environment!!
Exchange Server 2013 enters the Extended Support phase of product lifecycle on April 10th, 2018. During Extended Support, products receive only updates defined as Critical consistent with the Security Update Guide. For Exchange Server 2013, critical updates will include any required product updates due to time zone definition changes.
The Microsoft Deployment Toolkit (MDT), build 8450, is now available on the Microsoft Download Center. This update supports the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1709, available on the Microsoft Hardware Dev Center(adksetup.exe file version 10.1.16299.15).
Here is a summary of the significant changes in this build of MDT:
Supported configuration updates
Windows ADK for Windows 10, version 1709
Windows 10, version 1709
Configuration Manager, version 1710
Quality updates (titles of bug fixes)
Win10 Sideloaded App dependencies and license not installed
CaptureOnly task sequence doesn’t allow capturing an image
Error received when starting an MDT task sequence: Invalid DeploymentType value “” specified. The deployment will not proceed
ZTIMoveStateStore looks for the state store folder in the wrong location causing it to fail to move it
xml contains a simple typo that caused undesirable behavior
Install Roles & Features doesn’t work for Windows Server 2016 IIS Management Console feature
Browsing for OS images in the upgrade task sequence does not work when using folders
MDT tool improperly provisions the TPM into a Reduced Functionality State (see KB 4018657 for more information)
Updates to ZTIGather chassis type detection logic
Upgrade OS step leaves behind SetupComplete.cmd, breaking future deployments
Includes updated Configuration Manager task sequence binaries
Many new items have been introduced, such as HTML5 video redirection support for the Chrome browser and the ability to configure Windows Start menu shortcuts for desktop and application pools using the Horizon Administrator console. As always, you can count on increased operating system support for virtual desktops and clients.
Here is an overview of the new features:
VMware Horizon 7.3 Server Enhancements
Horizon Help Desk Tool
Displays application process resources with reset control
Role-based access control for help desk staff
Activity logging for help desk staff
Displays Horizon Client information
Granular logon time metrics
Blast Extreme display protocol metrics
Instant Clone Technology
Instant-clone desktops can now use dedicated assignment to preserve the hostname, IP address and MAC address of a user’s desktop
Windows Server OS is now supported for desktop use
Instant clones are now compatible with Storage DRS (sDRS)
If there are no internal VMs in all four internal folders created in vSphere Web Client, these folders are unprotected, and you can delete them
IcUnprotect.cmd utility can now unprotect or delete template, replica or parent VMs or folders from vSphere hosts
Windows Start Menu Shortcuts Created Using the Admin Console
Create shortcuts to Horizon 7 resources:
Published applications
Desktops
Global entitlements
Cloud Pod Architecture Scale
Total session limit is increased to 140,000
The site limit is now seven
VMware Horizon Apps
This update makes Horizon Apps easier to use and allows the administrator to restrict entitlements
Restrict access to desktop and application pools from specific client machines
Resiliency for Monitoring
If the event database shuts down, Horizon administrator maintains an audit trail of the events that occur before and after the event database shutdown
Database Support
Always-On Availability Groups feature for Microsoft SQL Server 2014
ADMX Templates
Additional GPO settings for ThinPrint printer filtering, HTML5 redirection and enforcement of desktop wallpaper settings
Remote Experience
Horizon Virtualization Pack for Skype for Business
Multiparty audio and video conferencing
Horizon 7 RDSH support
Windows Server 2008 R2
Windows Server 2012 R2
Forward Error Correction (FEC)
Quality of Experience (QOE) metrics
Customized ringtones
Call park and pickup
E911 (Enhanced 911) support, to allow the location of the mobile caller to be known to the call receiver
USB desktop-tethering support
Horizon Client for Linux support for the following Linux distributions:
Ubuntu 12.04 (32-bit)
Ubuntu 14.04 (32 & 64-bit)
Ubuntu 16.04 (64-bit)
RHEL 6.9/CentOS 6.x (64-bit)
RHEL 7.3 (64-bit)
SLED12 SP2 (64-bit)
Additional NVIDIA GRID vGPU Support
Support for the Tesla P40 graphics card from NVIDIA
HTML5 Video Redirection
View HTML 5 video from a Chrome browser and have video redirected to the client endpoint for smoother and more efficient video playback
Performance Counter Improvements
Windows agent PerfMon counters improvements for Blast Extreme sessions: imaging, audio, client-drive redirection (CDR), USB and virtual printing
Linux Virtual Desktops
KDE support: Besides RHEL/CentOS 6.x, the KDE GUI is now supported on RHEL/CentOS 7.x, Ubuntu 14.04/16.04 and SUSE Linux Enterprise Desktop 11 SP4
MATE interface is now supported on Ubuntu 14.04 and Ubuntu 16.04
Blast Extreme Adaptive Transport is now supported for Linux desktops
vGPU hardware H.264 encoder support has been added
USB Redirection
USB redirection is supported in nested mode
ThinPrint Filtering
Administrators can filter out printers that should not be redirected
Horizon Client 4.6 Updates
Security Update
All clients have been updated to use SHA-2 to prevent SHA-1 collision attacks
Session Pre-launch
Session pre-launch is now extended to both Horizon Client for macOS and Horizon Client for Windows
Apteligent
Integration of Apteligent crash log
Blast Extreme
Improvements in Blast Extreme Adaptive Transport mode for iOS and macOS
User can change Blast Extreme settings without having to disconnect
Horizon Client 4.6 for Windows
Support for UNC path with CDR
Horizon Client 4.6 for macOS
Support for macOS Sierra and macOS High Sierra
Selective monitor support
Norwegian keyboard support
Horizon Client 4.6 for iOS
CDR support with drag and drop of files in split view
iOS split keyboard enhancement
iOS UI updates
Horizon Client 4.6 for Android
Android Oreo support
Manage the Horizon server list with VMware AirWatch
Simple shortcuts
External mouse enhancements
Real-Time Audio-Video (RTAV) support for Android and Chrome OS
Horizon Client 4.6 for Linux
Blast Extreme Adaptive Transport support
Horizon Client 4.6 for Windows 10 UWP
Network recovery improvements
Horizon HTML Access 4.6
HTML Access for Android with a revised UI
Customization of HTML Access page
Horizon Help Desk Tool
The Horizon Help Desk Tool provides a troubleshooting interface for the help desk that is installed by default on Connection Servers. To access the Horizon Help Desk Tool, navigate to https://<CS_FQDN>/helpdesk, where <CS_FQDN> is the fully qualified domain name of the Connection Server, or click the Help Desk button in the Horizon Administrator console.
The Help Desk Tool was introduced in Horizon 7.2 and has been greatly expanded upon in the Horizon 7.3 release.
Help Desktop Tool features with Horizon 7.2:
Virtual machine metrics
Remote assistance
Session control (restart, logoff, reset, and disconnect)
Sending messages
Additional features with Horizon 7.3:
Display application process resources with reset control
Role-based access control for help desk staff
Activity logging for help desk staff
Granular login time metrics
Display Horizon Client information
User Session Details
The user session details appear on the Details tab when you click a user name in the Computer Name option on the Sessions tab. You can view details for Horizon Client, the VDI desktop or RDSH-published desktop, CPU and memory stats, and many other details.
Client version
Unified Access Gateway name and IP address
Logon breakdown (client to broker):
Brokering
GPO load
Profile load
Interactive
Authentication
Blast Extreme Metrics
Blast extreme metrics that have been added include estimated bandwidth (uplink), packet loss, and transmitted and received traffic counters for imaging, audio, and CDR.
Note the following behavior:
The text-based counters do not auto-update in the dashboard. Close and reopen the session details to refresh the information.
The counters for transmitted and received traffic counters are accumulative from the point the session is queried/polled.
Blast Extreme Metrics for a Windows 10 Virtual Desktop Session
Display and Reset Application Processes and Resources
This new feature provides help desk staff with a granular option to resolve problematic processes without affecting the entire user session, similar to Windows Task Manager. The session processes appear on the Processes tab when you click a user name in the Computer Name option on the Sessions tab. For each user session, you can view additional details about CPU- and memory-related processes to diagnose issues.
Role-based Access Control and Custom Roles
You can assign the following predefined administrator roles to Horizon Help Desk Tool administrators to delegate the troubleshooting tasks between administrator users:
Help Desk Administrator
Help Desk Administrator (Read Only)
You can also create custom roles by assigning the Manage Help Desk (Read Only) privilege along with any other privileges based on the Help Desk Administrator role or Help Desk Administrator (Read Only) role.
Members of the Help Desk Administrators (Read Only) role do not have access to following controls; in fact, functions such as Log Off and Reset are not presented in the user interface.
Watch this brief demonstration video of the Horizon Help Desk Tool to see it in action:
Horizon Virtualization Pack for Skype for Business
You can now make optimized audio and video calls with Skype for Business inside a virtual desktop without negatively affecting the virtual infrastructure and overloading the network.
All media processing takes place on the client machine instead of in the virtual desktop during a Skype audio and video call.
Horizon Virtualization Pack for Skype for Business offers the following supported features:
System Requirements
The following table outlines the system requirements for the new release:
Supported Clients
The following table provides the list of support Horizon clients:
Start Menu Shortcuts Configured Through the Admin Console
This feature improves the user experience by adding desktop and application shortcuts to the Start menu of Windows client devices.
You can use Horizon Administrator to create shortcuts for the following types of Horizon 7 resources:
Published applications
Desktops
Global entitlements
Shortcuts appear in the Windows Start menu and are configured by IT. Shortcuts can be categorized into folders.
Users can choose at login whether to have shortcuts added to the Start menu on their Windows endpoint device.
Watch this brief demonstration video of the new Desktop and Apps Shortcuts feature to see it in action:
Dedicated Desktop Support for Instant Clones
Upon the initial release of instant clones in Horizon 7, we supported floating desktop pools and assignments only. Further investments have been made to Instant Clone Technology that add support for dedicated desktop pools. Fixed assignments and entitlements of users to instant-clone machines is now provided as part of Horizon 7.3.
Dedicated instant-clone desktop assignment means that there is a 1:1 relationship between users and desktops. Once an end user is assigned to a desktop, they will consistently receive access to the same desktop and corresponding virtual machine. This feature is important for apps that require a consistent hostname, IP address, or MAC address to function properly.
Note: Persistent disks are not supported. Fixed assignments to desktops does not mean persistence for changes. Any changes that the user makes to the desktop while in-session will not be preserved after logoff, which is similar to how a floating desktop pool works. With dedicated assignment, when the user logs out, a resync operation on the master image retains the VM name, IP address, and MAC address.
Support for the Tesla P40 Graphics Card from NVIDIA
VMware has expanded NVIDIA GRID support with Tesla P40 GPU cards in Horizon 7.3.
HTML5 Video Redirection
This feature provides the ability to take the HTML5 video from a Chrome (version 58 or higher) browser inside a Windows VDI or RDSH system and redirect it to Windows clients. This feature uses Blast Extreme or PCoIP side channels along with a Chrome extension.
The redirected video is overlaid on the client and is enabled as well as managed using GPO settings.
Benefits include:
Supports generic sites such as YouTube, without requiring a server-side plugin.
Provides smooth video playback comparable to the native experience of playing video inside a browser on the local client system.
Reduces data center network traffic and CPU utilization on the vSphere infrastructure hosts.
Improved USB Redirection with User Environment Manager
The default User Environment Manager timeout value has been increased. This change ensures that the USB redirection Smart Policy takes effect even when the login process takes longer than expected.
With Horizon Client 4.6, the User Environment Manager timeout value is configured only on the agent and is sent from the agent to the client.
You can now bypass User Environment Manager control of USB redirection by setting a registry key on the agent machine (VDI desktop or RDSH server). This change ensures that smart card SSO works on Teradici zero clients. Note: Requires a restart.
The Windows Agent PerfMon counters for the Blast Extreme protocol have been improved to update at a constant rate and to be even more accurate.
Counters include:
Imaging
Audio
CDR
USB
Virtual printing
Linux Virtual Desktops
Features and functions for Horizon 7 for Linux virtual desktops have been expanded:
KDE support – Besides RHEL/CentOS 6.x, the KDE GUI is now supported on RHEL/CentOS 7.x, Ubuntu 14.04/16.04, SUSE Linux Enterprise Desktop 11 SP4.
Support for the MATE interface on Ubuntu 14.04, Ubuntu 16.04.
Blast Extreme Adaptive Transport support.
vGPU hardware H.264 encoder support.
USB Redirection Support in Nested Mode
The USB redirection feature is now supported when you use Horizon Client in nested mode. When using nesting–for example, when opening RDSH applications from a VDI desktop–you can now redirect USB devices from the client device to the first virtualization layer and then redirect the same USB device to the second virtualization layer (that is, nested session).
Filtering Redirected Printers
You can now create a filter to specify the printers that should not be redirected with ThinPrint. A new GPO ADMX template (vmd_printing_agent.admx) has been added to enable this functionality.
By default, the rule permits all client printers to be redirected.
Supported attributes:
PrinterName
DriverName
VendorName
Supported operators:
AND
OR
NOT
Supported searching pattern is a regular expression.
Blast Extreme Improvements in CPU Usage
Now even lower CPU usage is achieved with adaptive Forward Error Correction algorithms. This clever mechanism decides how to handle error correction, lowering CPU usage within virtual desktop machines as well as on client endpoint devices.
Blast Extreme Adaptive Transport Side Channel
New support has been added for Blast Extreme Adaptive Transport side channels for USB and CDR communications. Once enabled, TCP port 32111 for USB traffic does not need to be opened, and USB traffic uses a side channel. This feature is supported for both virtual desktops and RDS hosts.
Feature is turned off by default.
Enable the feature through a registry key: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Blast\Config\UdpAuxiliaryFlowsEnabled 1
Entitlement Restrictions Based on Machine Name
This feature allows IT administrators to restrict access to published applications and desktops based on both client computer and user. With client restrictions for RDSH, it is now possible to check AD security groups for specific computer names. Users only have access to desktops and apps when both the user and the client machine are entitled. For this release, the feature is supported only for Windows clients and works with global entitlements.
Pre-Launch Improvements
Pre-launch provides the ability to launch an empty (application-less) session when connecting to the Connection Server. The feature is now also available to Windows clients, in addition to macOS.
Also, it is no longer necessary to manually make changes to the client settings. You can configure automatic reconnection.
Blast Extreme Adaptive Transport Mode for iOS and macOS
With prior client releases, users were required to configure their Blast Extreme settings before they connected to the Connection Server. After a connection was established, the options to change the Blast Extreme setting—which included H.264, Poor, Typical, and Excellent—were unavailable.
With this release, users can change the network condition setting from Excellent to Typical or the reverse while inflight to sessions. Doing so also changes the protocol connection type between TCP (for Excellent) and UDP (for Typical).
Note: End users will not be able to change the network condition setting if Poor is selected before establishing a session connection.
Horizon Client for Windows
Horizon Client 4.6 updates include:
Additional command-line options for the new client installer – When silently installing the Windows client, using the /s flag, you can now also set:
REMOVE-SerialPort,Scanner – Removes the serial port, scanner, or both.
DESKTOP_SHORTCUT-0 – Installs without a desktop shortcut.
STARTMENU_SHORTCUT-0 – Installs without a Start menu shortcut.
Support for UNC paths with client drive redirection (CDR):
Allows remote applications to access files from a network location on the client machine. Each location gets its own drive letter inside the remote application or VDI desktop.
Folders residing on UNC paths can now be redirected with CDR, and get their own drive letter inside the session, just as any other shared folder.
Horizon Client for macOS
Horizon Client 4.6 updates include:
Apple macOS High Sierra day 0 support.
Users can select which monitors to use for VDI sessions and which to use for the local system.
Norwegian keyboard support and mappings are now available
Horizon Client for iOS
Horizon Client 4.6 updates include:
iOS 11 support
iOS split keyboard update – Removes the middle area in the split keyboard for a better view of the desktop
New dialog box for easy connection to a Swiftpoint Mouse
Horizon Client for Android
Horizon Client 4.6 updates include:
Android 8.0 Oreo support.
Server URL configuration – Allows administrators to configure a list of Connection Servers and a default Connection Server on Android devices managed by VMware AirWatch.
Android and Chrome OS Client Updates
Horizon Client 4.6 for Android and Horizon Client 4.6 for Chrome OS updates include:
Simple shortcuts – Users can right-click any application or desktop to add a shortcut to the home screen.
Webcam redirection – Integrated webcams on an Android device or a Chromebook are now available for redirection using the Real-Time Audio-Video (RTAV) feature.
HTML Access
HTML Access 4.6 updates include:
HTML Access on Android devices – Though HTML Access has fewer features than the native Horizon Client, it allows you to use remote desktops and published applications without installing software.
HTML Access page customization – Administrators can customize graphics and text and have those customizations persist through future upgrades.
Horizon Client for Linux
Horizon Client 4.6 updates include:
Support for Raspberry Pi 3 Model B devices:
ThinLinx operating system (TLXOS) or Stratodesk NoTouch operating system
Supported Horizon Client features include:
Blast Extreme
USB redirection
264 decoding
8000Hz and 16000Hz audio-in sample rate
RHEL/CentOS 7.4 support
Horizon Client for Windows 10 UWP
Horizon Client 4.6 updates include:
Network recovery improvements – Clients can recover from temporary network loss (up to 2 minutes). This feature was already available for Windows, macOS, Linux, iOS, and Android, and is now available for Windows 10 UWP.
Automatically reconnects Blast Extreme sessions
Reduces re-authentication prompts
We are excited about these new features in Horizon 7.3.1 and the Horizon Client 4.6. We hope that you will give them a try.
The latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013 are now available on the download center. These releases include fixes to customer reported issues, all previously reported security/quality issues and updated functionality.
Minimum supported Forest Functional Level is now 2008R2
In our blog post, Active Directory Forest Functional Levels for Exchange Server 2016, we informed customers that Exchange Server 2016 would enforce a minimum 2008R2 Forest Functional Level requirement for Active Directory. Cumulative Update 7 for Exchange Server 2016 will now enforce this requirement. This change will require all domain controllers in a forest where Exchange is installed to be running Windows Server 2008R2 or higher. Active Directory support for Exchange Server 2013 remains unchanged at this time.
Support for latest .NET Framework
The .NET team is preparing to release a new update to the framework, .NET Framework 4.7.1. The Exchange Team will include support for .NET Framework 4.7.1 in our December Quarterly updates for Exchange Server 2013 and 2016, at which point it will be optional. .NET Framework 4.7.1 will be required on Exchange Server 2013 and 2016 installations starting with our June 2018 quarterly releases. Customers should plan to upgrade to .NET Framework 4.7.1 between the December 2017 and June 2018 quarterly releases.
The Exchange team has decided to skip supporting .NET 4.7.0 with Exchange Server. We have done this not because of problems with the 4.7.0 version of the Framework, rather as an optimization to encourage adoption of the latest version.
Known unresolved issues in these releases
The following known issues exist in these releases and will be resolved in a future update:
Online Archive Folders created in O365 will not appear in the Outlook on the Web UI
Information protected e-Mails may show hyperlinks which are not fully translated to a supported, local language
Release Details
KB articles that describe the fixes in each release are available as follows:
Exchange Server 2016 Cumulative Update 7 does not include new updates to Active Directory Schema. If upgrading from an older Exchange version or installing a new server, Active Directory updates may still be required. These updates will apply automatically during setup if the logged on user has the required permissions. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin must execute SETUP /PrepareSchema prior to the first Exchange Server installation or upgrade. The Exchange Administrator should execute SETUP /PrepareAD to ensure RBAC roles are current.
Exchange Server 2013 Cumulative Update 18 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 18. PrepareAD will run automatically during the first server upgrade if Exchange Setup detects this is required and the logged on user has sufficient permission.
Additional Information
Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.
Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.
Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU18, 2016 CU7) or the prior (e.g., 2013 CU17, 2016 CU6) Cumulative Update release.
CVE-2017-8559 – Microsoft Exchange Cross-Site Scripting Vulnerability
CVE-2017-8560 – Microsoft Exchange Cross-Site Scripting Vulnerability
Depending on the lifecycle status of the product, fixes are made available either through a Rollup or as a security fix for the following product levels:
As you might notice, the security fix is made available for the N-1 builds of Exchange 2013 and Exchange 2016. This could imply the issue was addressed in the latest builds of those products. I hope to receive official confirmation on this soon.
The issue is deemed Important, which means organizations are advised to apply these updates at the earliest opportunity. However, as with any update, it is recommended to thoroughly test updates and fixes prior to deploying them in a production environment.
On June 27, 2017 Microsoft has released its quarterly updates for Exchange 2013 and Exchange 2016. The current version is now at Exchange 2013 CU17 (15.0.1320.4) and Exchange 2016 CU6(15.1.1034.26) . But this time there are some interesting things I’d like to point out.
A couple of days before the release of Exchange 2016 CU6 (15.1.1034.26) Microsoft blogged about Sent Items Behavior Control and Original Folder Item Recovery. With the Sent Items Behavior Control, a message that’s sent using the Send As or Send on behalf of permission is not only stored in the mailbox of the user that actually sent the message, but a copy is also stored in the delegator mailbox sent items. This was already possible for shared mailboxes, but now it’s also possible for regular mailboxes (like manager/assistant scenarios).
The Original Folder Item Recovery feature is I guess on of the most requested features. In the past (before Exchange 2010) when items were restored after they were deleted, they were restored to their original location. With the Dumpster 2.0 that was introduced with Exchange 2010 this was no longer possible, and items were restored to the deleted items folder. In this case the items had to be moved manually to their original location. With the introduction of the Original Folder Item Recovery the restore of deleted items again takes place in the original folder.
Unfortunately, both Sent Items Behavior Control and Original Folder Item Recovery are only available in Exchange 2016 CU6 (and NOT in Exchange 2013 CU17).
When it comes to security TLS 1.2 is a hot topic. Microsoft is aware of this and working hard towards an Exchange environment that only uses TLS 1.2 (so that TLS 1.1 and TLS 1.0 can be disabled). We are not yet at that stage. Exchange 2016 CU6 does have improved support for TLS 1.2, but Microsoft is not encouraging customers to move to a TLS 1.2 environment only.
.NET Framework and Exchange server continues to be a difficult scenario. This is understandable, Exchange is just a consumer of Windows and .NET so the Exchange Product Group does not have much influence on the .NET (and Windows) Product Group.
Exchange 2016 CU6 does NOT support.NET Framework 4.7 at this moment, and you should NOT install .NET Framework on a server running Exchange 2016. Not before and not after the installation of Exchange 2016 CU6. This is also true for Exchange Server 2013 CU17. More information regarding .NET Framework and Exchange server can be found here: https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/.
The .NET Framework 4.6.2 is supported by Exchange 2016 CU3 and higher and Exchange 2013 CU15 and higher. For a complete overview of which scenarios are supported, navigate to the Exchange Server Supportability Matrix on https://technet.microsoft.com/en-us/library/ff728623(v=exchg.150).aspx.
KB articles that describe the fixes, features and information in each release are available as follows:
Exchange Team announcing an update to our support policy for Windows Server 2016 and Exchange Server 2016. At this time we do not recommend customers install the Exchange Edge role on Windows Server 2016. We also do not recommend customers enable antispam agents on the Exchange Mailbox role on Windows Server 2016 as outlined in Enable antispam functionality on Mailbox servers.
Why are we making this change?
In our post Deprecating support for SmartScreen in Outlook and Exchange, Microsoft announced we will no longer publish content filter updates for Exchange Server. We believe that Exchange customers will receive a better experience using Exchange Online Protection (EOP) for content filtering. We are also making this recommendation due to a conflict with the SmartScreen Filters shipped for Windows, Microsoft Edge and Internet Explorer browsers. Customers running Exchange Server 2016 on Windows Server 2016 without KB4013429 installed will encounter an Exchange uninstall failure when decommissioning a server. The failure is caused by a collision between the content filters shipped by Exchange and Windows which have conflicting configuration information in the Windows registry. This collision also impacts customers who install KB4013429 on a functional Exchange Server. After the KB is applied, the Exchange Transport Service will crash on startup if the content filter agent is enabled on the Exchange Server. The Edge role enables the filter by default and does not have a supported method to permanently remove the content filter agent. The new behavior introduced by KB4013429, combined with our product direction to discontinue filter updates, is causing us to deprecate this functionality in Exchange Server 2016 more quickly if Windows Server 2016 is in use.
What about other operating systems supported by Exchange Server 2016?
Due to the discontinuance of SmartScreen Filter updates for Exchange server, we encourage all customers to stop relying upon this capability on all supported operating systems. Installing the Exchange Edge role on supported operating systems other than Windows Server 2016 is not changed by today’s announcement. The Edge role will continue to be supported on non-Windows Server 2016 operating systems subject to the operating system lifecycle outlined at https://support.microsoft.com/lifecycle.
Help! My services are already crashing or I want to proactively avoid this
If you used the Install-AntiSpamAgents.ps1 to install content filtering on the Mailbox role:
Find a suitable replacement for your email hygiene needs such as EOP or other 3rd party solution
Run the Uninstall-AntiSpamAgents.ps1 from the \Scripts folder created by Setup during Exchange installation
If you are running the Edge role on Windows Server 2016:
Delay deploying KB4013429 to your Edge role or uninstall the update if required to restore service
Deploy the Edge role on Windows Server 2012 or Windows Servers 2012R2 (Preferred)
Support services is available for customers who may need further assistance
Last week marks the end of support for the legacy synchronization tools which are used to connect on-premises Active Directory to Office 365 and Azure AD. Specifically Windows Azure Active Directory Sync (DirSync) and Azure AD Sync are the tools which are transitioning out of support at this time. Note also that version 1.0 of Azure Active Directory (AAD Connect) is also transitioning of support. The tools were previously marked as depreciated in April 2016.
The replacement for the older synchronization tools is Azure Active Directory Connect 1.1. Customers must have this version of AAD Connect deployed. This is the tool which is being actively maintained, and receives updates and fixes.
Azure AD will no longer accept communications from the unsupported tools as of December 31st 2017.
If you do need to upgrade, the relevant documentation is below:
Today, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.
As announced in December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:
If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior of after installing the latest Cumulative Update.
If you are on .NET 4.52, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the the latest Cumulative Update.
The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.
Exchange 2016 CU5 doesn’t include schema changes, however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.
Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order of upgrading servers with Cumulative Updates is irrelevant.
Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.
